• Home
• Login with External IDP
• SimpleSAML as IDP Setup Guide

Configure SimpleSAML as SAML IDP for SSO

---

miniOrange Identity Broker service solution enables cross protocol authentication. You can configure SimpleSAML as an IDP for Single Sign-On (SSO) into your applications/websites. Here, SimpleSAML will act as an Identity Provider (IDP) and miniOrange will act as a broker.

We offer a pre-built solution for integrating with SimpleSAML, making it easier and quick to implement. Our team can also help you set up SimpleSAML as SAML IDP to login into your applications.

Prerequisite:

• To get started you need to have an active SimpleSAML account with administrator rights for your organization.
• Get the miniOrange SP metadata that you will require in the first step. For this, go to the miniOrange Admin Console >> Identity Providers >> Add Identity provider. Under Choose Identity Provider, select SAML from the dropdown and go to SAML Provider. Then click on the Click here link.



• Click on Show metadata Details under For SP - Initiated SSO. Click on Download Metadata. You will require this in SimpleSAML console at Step 2.

Steps to setup SimpleSAML as an IDP and miniOrange as a Service Provider (SP) for SSO login

1. Configure SimpleSAML as IDP in miniOrange

• Go back to the miniOrange Admin console and navigate to Identity Providers in the left navigation menu. Then, click on Add Identity Provider button.



• In Choose Identity Provider, select SAML from the dropdown.



• Search for SAML Provider.



• Enter appropriate IDP Name. Also add following details:

  IDP Entity ID	Identity Provider Issuer from SimpleSAML
  SAML SSO Login URL	Identity Provider Single Sign-On URL from SimpleSAML
  X.509 Certificate	X.509 Certificate from SimpleSAML
  Single Logout URL [Optional]	Single Logout URL from SimpleSAML




• Few other optional features that can be added to the Identity Provider(IDP) are listed in the table below:

  Domain Mapping	Can be used to redirect specific domain user to specific IDP
  Show IdP to Users	Enable this if you want to show this IDP to all users during Login
  Send Configured Attributes	Enabling this would allow you to add attributes to be sent from IDP




• Click on Save.

2. Configure miniOrange as Service Provider (SP) in SimpleSAML

• In config/config.php, make sure that 'enable.saml20-idp' is true. Example: ‘enable.saml20-idp’ => true
• In metadata/saml20-idp-hosted.php, configure SimpleSAML as Identity Provider like this: $metadata['__DYNAMIC:1__'] = [ 'host' => '__DEFAULT__', /* X.509 key and certificate. Relative to the cert directory.*/ 'privatekey' => '<YOUR_PRIVATE_KEY_FILE_NAME>',    //eg. RSA_Private_Key.pem 'certificate' => '<YOUR_PUBLIC_KEY_FILE_NAME>',    //eg. RSA_Public_Key.cer /* Authentication source to use. Configured in 'config/authsources.php'. */ 'auth' => '<YOUR_AUTH_SOURCE_NAME>' ];
• In metadata/saml20-sp-remote.php, register your Service Provider like this:
  /* Replace example.com with your wordpress domain name. */ $metadata['https://example.com/miniorange-saml-20-single-sign-on/'] = [ 'AssertionConsumerService' => 'https://example.com/', 'SingleLogoutService' => 'https://example.com/', 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', 'simplesaml.nameidattribute' => 'mail', 'simplesaml.attributes' => true, 'attributes' => array('mail', 'givenname', 'sn', 'memberOf'), ];
• Here, you can also add user attributes you want to send from SimpleSAML to your Service Provider i.e miniOrange.
• Go to SimpleSAMLphp homepage of installation.
  The URL of an installation can be e.g.: https://service.example.com/simplesaml/ where service.example.com has to be replaced by your SimpleSAMLphp path. (Note: The installation page URL may differ depending on how SimpleSAML installation has been done)
• Now go to Federation tab and click on Show Metadata for SAML 2.0 IdP Metadata.



• You can get the IdP metadata from here which will be required to configure the SimpleSAML in miniOrange.

You have successfully configured SimpleSAML as SAML IdP (Identity Provider) for achieving SimpleSAML SSO login.

3. Test Connection

• Visit your Login Page URL.
• Go to Identity Providers tab.
• Search for your app, click the three dots in the Actions menu, and select Test Connection against the Identity Provider (IDP) you configured.



• On entering valid SimpleSAML credentials (credentials of user assigned to app created in SimpleSAML), you will see a pop-up window which is shown in the below screen.



• Hence your configuration of SimpleSAML as IDP in miniOrange is successfully completed.

Configure Attribute Mapping

• Go to Identity Providers.
• Click the three dots in the Actions menu, and select Attribute Mapping against the Identity Provider (IDP) you configured.

• Attribute Type - USER
• Attribute Type - EXTERNAL

Maps information, such as email and username, during Just-In-Time (JIT) user creation. Email and Username attributes are necessary to create the user profile.

• Click on the + Add Attribute button to add the attribute fields.



• Check the attributes in the Test Connection window from the previous step. Choose any attribute names you want to send to your application under Attribute Name sent to SP.
• Enter the values of the attributes coming from IdP into the Attribute Name from IdP field on the Xecurify side.

EXTERNAL mappings help alter incoming attribute names before sending them to apps, ensuring that the data is in the correct format.

• Click on the + Add Attribute button to add the attribute fields.



• Check attributes in test connection window from last step. Enter the attribute names (any name) that you want to send to your application under Attribute Name sent to SP.
• Enter the value of attributes that are coming from IdP into the Attribute Name from IdP field on the Xecurify side.